When you create an encrypted DB instance with Amazon RDS, Amazon RDS creates an encrypted EBS volume on your behalf to store the database. Data stored at rest on the volume, database snapshots, automated backups, and read replicas are all encrypted under the KMS CMK that you specified when you created the DB instance.

Amazon RDS encryption context

When Amazon RDS uses your KMS CMK, or when Amazon EBS uses it on behalf of Amazon RDS, the service specifies an encryption context. The encryption context is additional authenticated data (AAD) that AWS KMS uses to ensure data integrity. When an encryption context is specified for an encryption operation, the service must specify the same encryption context for the decryption operation. Otherwise, decryption fails. The encryption context is also written to your AWS CloudTrail logs to help you understand why a given CMK was used. Your CloudTrail logs might contain many entries describing the use of a CMK, but the encryption context in each log entry can help you determine the reason for that particular use.

At minimum, Amazon RDS always uses the DB instance ID for the encryption context, as in the following JSON-formatted example:

{ "aws:rds:db-id": "db-CQYSMDPBRZ7BPMH7Y3RTDG5QY" }

This encryption context can help you identify the DB instance for which your CMK was used.
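As an added example (not part of the AWS documentation), the following Python attributes KMS API calls found in CloudTrail records to DB instances by reading the aws:rds:db-id encryption context key, and lists calls on which that key is absent. The records are constructed to mimic the shape of KMS CloudTrail events (requestParameters.encryptionContext); the second DB ID and the non-RDS context value are made-up sample data.

```python
"""Attribute KMS CMK use in CloudTrail to RDS DB instances by encryption context.

Added example, not from the AWS documentation. SAMPLE_EVENTS are constructed to
mimic the shape of KMS CloudTrail records (requestParameters.encryptionContext)
and are not real log data.
"""
from collections import Counter

RDS_DB_ID_KEY = "aws:rds:db-id"  # the key RDS always sets, per the docs
KMS_SOURCE = "kms.amazonaws.com"

# Constructed records: two Decrypt calls for one DB, one GenerateDataKey for a
# second (made-up) DB, one call with a non-RDS context, and one non-KMS event.
SAMPLE_EVENTS = [
    {"eventSource": KMS_SOURCE, "eventName": "Decrypt", "requestParameters":
     {"encryptionContext": {RDS_DB_ID_KEY: "db-CQYSMDPBRZ7BPMH7Y3RTDG5QY"}}},
    {"eventSource": KMS_SOURCE, "eventName": "Decrypt", "requestParameters":
     {"encryptionContext": {RDS_DB_ID_KEY: "db-CQYSMDPBRZ7BPMH7Y3RTDG5QY"}}},
    {"eventSource": KMS_SOURCE, "eventName": "GenerateDataKey", "requestParameters":
     {"encryptionContext": {RDS_DB_ID_KEY: "db-CONSTRUCTED2"}}},
    {"eventSource": KMS_SOURCE, "eventName": "Decrypt", "requestParameters":
     {"encryptionContext": {"app": "constructed-other-workload"}}},
    {"eventSource": "rds.amazonaws.com", "eventName": "CreateDBInstance",
     "requestParameters": {}},
]

def encryption_context(event):
    """Return the encryption context recorded for a KMS call ({} if none)."""
    return (event.get("requestParameters") or {}).get("encryptionContext") or {}

def kms_events(events):
    """Keep only KMS API calls from a stream of CloudTrail records."""
    return [e for e in events if e.get("eventSource") == KMS_SOURCE]

def uses_by_db_instance(events):
    """Count KMS calls per DB instance; calls lacking aws:rds:db-id fall under None."""
    counts = Counter()
    for ev in kms_events(events):
        counts[encryption_context(ev).get(RDS_DB_ID_KEY)] += 1
    return counts

def unattributed_kms_events(events):
    """KMS calls RDS did not make: RDS always sets aws:rds:db-id, so its absence
    on an RDS-dedicated CMK means some other principal used the key."""
    return [e for e in kms_events(events)
            if RDS_DB_ID_KEY not in encryption_context(e)]
```

On a real trail, feed the Records array of each CloudTrail file to uses_by_db_instance and review anything returned by unattributed_kms_events for a CMK that should only be used by RDS.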

When your CMK is used for a specific DB instance and a specific EBS volume, both the DB instance ID and the EBS volume ID are used for the encryption context, as in the following JSON-formatted example: